OFFICE OF THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

ON-SITE SECURITY CONTROL AND AUDIT REVIEW AT HEARING OFFICES

September 2007   A-12-07-17080

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse.
We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:      September 28, 2007
Refer To:
To:        The Commissioner
From:      Inspector General
Subject:   On-site Security Control and Audit Review at Hearing Offices (A-12-07-17080)

OBJECTIVE

Our objectives were to assess (1) the Social Security Administration’s (SSA) procedures for selecting hearing offices for On-site Security Control and Audit Reviews (OSCAR), (2) SSA’s system for ensuring appropriate correction of deficiencies identified through OSCARs, and (3) additional steps SSA can take to enhance the OSCAR Guide.

BACKGROUND

SSA must comply with the Federal requirements associated with management controls and provide assurances that its financial, programmatic and administrative processes are functioning as intended. These requirements include the Federal Managers' Financial Integrity Act (FMFIA).[1] SSA designed the OSCAR program to satisfy the Federal requirements stated in the FMFIA.

The Office of Disability Adjudication and Review (ODAR) administers 140 hearing offices located in 10 regions throughout the United States.[2] ODAR’s Headquarters (HQ) is responsible for conducting OSCARs at these hearing offices.[3] In addition to using its own staff, HQ has hired contractors in the past to perform these reviews. These reviews cover a number of programmatic and administrative functions, including: (1) third party draft accounts; (2) acquisitions; (3) time and attendance; (4) security of automated systems; and (5) physical and protective security.

[1] Public Law 97-255.

[2] On April 3, 2006 the Commissioner of Social Security established the Office of Disability Adjudication and Review, which replaced the Office of Hearings and Appeals.

[3] Throughout the report we will use HQ in sections to denote the involvement of HQ management. ODAR management has stated that during our 5-year review period the organization had various management structures.

Under current OSCAR procedures, ODAR is required to review 10 to 20 percent of hearing offices annually and complete its review of all offices within 5 years,[4] with the understanding that accomplishment of this requirement is contingent on funding. In general, an OSCAR is supposed to be completed in 1 visit and, within 30 calendar days, the data and findings are supposed to be analyzed and a written report issued, including corrective actions. Once the final report is provided to the audited component, the hearing office manager has 30 days to respond (either directly or through its regional office (RO)) with a report of the corrective actions planned and/or taken. Also, the office/component should forward to HQ, within 90 days of issuing the corrective action report, a validation report stating that corrective actions have been implemented.

In addition to OSCARs, there are other reviews performed on hearing offices which serve as compensating controls.
ROs perform administrative reviews on their hearing offices once every 3 years. An administrative review covers the same scope as an HQ OSCAR plus other areas such as a workload assessment. Also, each Hearing Office Director (HOD) conducts an annual self-OSCAR of the hearing office, except during the year a HQ OSCAR is performed.

RESULTS OF REVIEW

During Fiscal Years (FY) 2002 through 2006, ODAR did not meet the 10 percent national review threshold in 4 out of 5 years. In addition, ODAR was able to perform OSCARs at only 70 of the 140 (50 percent) hearing offices during the 5-year period. This occurred because ODAR was in the process of establishing a formal OSCAR program and other reviews limited their OSCAR coverage during this period. During FY 2007, ODAR plans to perform OSCARs on 20 percent of the hearing offices. We also found that during our review period ROs’ administrative reviews were not documented in writing and self-OSCARs did not fully identify deficiencies, minimizing the usefulness of these compensating controls. In addition, we found that OSCAR reports were not prepared timely for hearing office action. Some recommendations had not been implemented 18 months after the report was provided to the hearing office, and ODAR was not regularly collecting and reviewing validation reports, which may have contributed to the lack of follow-through at the hearing offices. Finally, the OSCAR guidance could be more comprehensive, covering additional topics, such as physical security at permanent remote sites and protection of sensitive data.

[4] “Annually, [ODAR] will review 20 percent of the ODAR field and headquarter offices/components under their jurisdiction or use the 10 percent of the targeted review process each year and complete all offices/components within 5 years. Accomplishment of the reviews is contingent on funding.” See ODAR OSCAR Guide, Review Requirements, April 2006, p. 3.

OSCAR REVIEW COVERAGE

ODAR did not perform the required number of OSCAR reviews at hearing offices during our 5-year review period primarily because HQ was in the process of establishing the OSCAR program and other reviews of the hearing offices were being performed. We also found that other compensating reviews were not an adequate control in the absence of a full HQ OSCAR.

Required Coverage

The current OSCAR guide requires that ODAR review 10 to 20 percent of all hearing offices annually and complete the review of all within 5 years. However, as shown in Table 1, ODAR reviewed less than 10 percent of hearing offices in 4 out of 5 of the FYs. Moreover, ODAR reviewed only 70 of its 140 hearing offices, or 50 percent, during the 5-year period.

Table 1: Headquarters OSCARs During FYs 2002 through 2007
(Related to 140 Hearing Offices)

Fiscal Year             Number of Hearing Offices   Percentage of OSCARs Performed
                        Covered by OSCARS           of Total Hearing Offices
2002                    4                           3%
2003                    3                           2%
2004                    3                           2%
2005                    48                          34%
2006                    14 (Note 1)                 9% (Note 1)
Total Hearing Offices   72                          50% (Note 1)
2007                    28 (est.)                   20% (est.)

Note 1: While 14 OSCARs were performed in FY 2006, 2 were follow-up OSCARs during the 5-FY period.
OSCARs were conducted on the Pasadena hearing office in FYs 2004 and 2006 because it relocated; and on the Denver hearing office in FYs 2005 and 2006 because the initial OSCAR identified problems that necessitated further review.

Our review of specific regional coverage found ODAR conducted OSCARs at 80 percent or more of the hearing offices in 3 regions during the 5-year period (see Table 2). However, 4 regions were below 50 percent coverage for the period.

Table 2: OSCAR Coverage Per ODAR Region During FYs 2002 through 2006

Region   Number of Hearing   Number of Hearing Offices   Percentage
         Offices             with Headquarters OSCAR
I        7                   6                           86%
II       14                  7                           50%
III      17                  6                           35%
IV       31                  14                          45%
V        19                  8                           42%
VI       16                  7                           44%
VII      7                   4                           57%
VIII     5                   4                           80%
IX       20                  10                          50%
X        4                   4                           100%
Total    140                 70                          50%

Resources and OSCAR Selection

During FYs 2002 through 2004 ODAR did not perform all the OSCARs needed to meet the 10 to 20 percent requirement.
When we discussed this with ODAR management we were told that the organization was in the process of establishing the OSCAR program during this period. Moreover, ODAR management noted that from FY 2004 through April 2006 ODAR was conducting Hearing Office Management Process Reviews, which took resources away from the HQ OSCAR process.

During FY 2005, additional resources allowed ODAR to perform HQ OSCARs at 48 hearing offices.[5] Accordingly, during that year ODAR exceeded the 10 to 20 percent requirement. However, our calculations show ODAR fell below the 10 percent requirement again in FY 2006 because 2 of the 14 OSCARs it performed were follow-up OSCARs on hearing offices that had already undergone an OSCAR during this same 5-year period.

ODAR management stated that the FY 2005 rate of HQ OSCARs was not sustained because during FY 2006 ODAR conducted OSCARs at the 10 ROs, which did not count toward the 140 hearing offices 5-year goal. ODAR wanted to ensure that ROs’ operations complied with the OSCAR guide and the ROs were familiar with the OSCAR process and requirements. It is probable that ODAR would have met or exceeded the 10 percent annual requirement if it had not been for the RO OSCARs. As of June 2007, ODAR stated it expected to issue 28 OSCAR reports in FY 2007, which would put ODAR at 20 percent coverage for the FY.

[5] A contractor was also brought in to assist with this OSCAR workload.

In deciding which hearing offices to review, HQ relies on recommendations from each RO. HQ annually requests that each of ODAR’s 10 ROs recommend hearing offices within their regions for an OSCAR. Depending on the level of funding for OSCARs, as well as the number of recommendations from the ROs, HQ decides on the number and the location of the hearing offices to be reviewed during a particular FY.
When we discussed this process with RO managers, we were told that they recommended hearing offices for OSCARs during the years when such offices were not scheduled for administrative RO reviews and/or in cases where the RO had concerns about a particular office.

Other Hearing Office Reviews

ROs perform administrative reviews on their hearing offices once every 3 years. These Regional Office Management Reviews cover the same scope as a HQ OSCAR plus other areas, such as a workload assessment. After completing the review, the review team orally briefs the hearing office management of its findings and recommendations. These findings and recommendations were not documented. Although ODAR management stated that the results of these reviews were not documented because they contained sensitive information,[6] the failure to document the findings could result in management’s inability to determine whether documented deficiencies were corrected. Also, an audit trail would serve to guide future reviews to ensure deficiencies do not continue.

Each HOD also conducts an annual self-OSCAR of the hearing office except during the year a HQ OSCAR is performed. These self-OSCARs are documented in writing. Our review included six self-OSCARs from six hearing offices in five different regions. Of these six reviews, we identified three self-OSCARs performed within 9 months of the subsequent HQ OSCARs. We compared the findings resulting from a HQ OSCAR to the findings in the self-OSCAR performed immediately prior in each of the three hearing offices.

In our review, we found that the HQ OSCARs were identifying issues not detected in the self-OSCARs (see Table 3). For example, in January 2005 a self-OSCAR review was conducted at the Colorado Springs Hearing Office, which identified only one finding.
The review found that the receptionist’s workstation lacked a panic alarm, a requirement in the Physical and Protective Security section in the OSCAR guide. In September 2005, HQ staff performed an OSCAR review and documented a total of 37 findings, including:

• 4 related to third party drafts,
• 3 related to acquisitions,
• 7 related to time and attendance,
• 2 related to security of automated systems, and
• 21 related to physical and protective security. The self-OSCAR finding concerning the lack of a panic alarm at the receptionist’s workstation was included among these findings since it had not been corrected after the self-OSCAR.

[6] According to ODAR management, these reviews were not documented due to Freedom of Information Act and labor-management concerns.

The purpose of the self-OSCAR is to ensure hearing offices are aware of existing policies and procedures, as well as taking steps to correct identified deficiencies. However, the disparity in findings noted above indicates the self-OSCAR review process is not always identifying such deficiencies.

Table 3: Headquarters OSCAR Versus Self-OSCAR Findings

Hearing Offices              HQ OSCAR      Total HQ OSCAR   Self-OSCAR    Total Self-OSCAR
                             Report Date   Findings         Report Date   Findings
Albuquerque, New Mexico      4/7/2005      34               1/29/2005     20
Colorado Springs, Colorado   9/30/2005     37               1/28/2005     1
Fort Worth, Texas            9/30/2005     38               1/6/2005      5
Total                                      109                            26

Successful self-OSCARs are an important part of hearing office integrity since HQ OSCARs and RO administrative reviews cannot be performed at each location every year. In FY 2005, the SSA Office of the Inspector General (OIG) performed audits related to physical security at hearing offices in all 10 ODAR regions. In those audits, we identified physical security weaknesses in eight hearing offices[7] that did not undergo HQ OSCARs during the 5-year period covering FYs 2002 through 2006. These weaknesses included (1) lack of semiannual testing of intrusion detection systems and duress alarm systems, (2) poor key security, and (3) missing peepholes in hearing office doors. It is likely that most, if not all, of these deficiencies could have been detected and corrected as part of a more robust self-OSCAR process.

[7] These eight offices were located in seven regions.

TIMELINESS OF ISSUING OSCAR REPORTS

The majority of the HQ OSCARs exceeded the established 30-day timeframes for preparing OSCAR reports. In addition, the contractor hired to perform some of these OSCARs failed to issue a single audit within the established timeframes.

We examined the timeliness of issuing HQ OSCAR reports during a 12-month audit period (April 1, 2005 through March 31, 2006). The OSCAR guide requires the issuance of an OSCAR report within 30 calendar days from the completion of the OSCAR. Untimely issuance of HQ OSCAR reports could result in delaying implementation of OSCAR recommendations. During the audit period, 33 HQ OSCAR reports were issued; HQ performed 21, while the contractor performed 12. As shown in Figure 1, of the 21 HQ OSCAR reports, only 1 was issued within 30 days of the review completion date. It took 35 to 237 days to issue the remaining 20 reports, or an average of 127 days[8] for all 21 reports. Also, of the 12 OSCAR reports issued by the contractor, none met the 30-day requirement.
However, it took less time to issue these reports than those HQ issued. The contractor’s reports were issued within 43 to 60 days of review completion date, or an average of 50 days.[9] Additional review data is provided in Appendix D.

Figure 1: Number of Days to Issue Headquarters OSCAR Reports Versus Contractor OSCAR Reports (April 1, 2005 through March 31, 2006)
[Chart not reproduced. Vertical axis: Number of Days (0 to 270); horizontal axis: OSCAR Reports Issued; series: Headquarters, Contractor.]

[8] This represents a median of 129 days.

[9] This represents a median of 51 days.

THE FOLLOW-UP PROCESS

We found that HQ OSCAR report recommendations were not being implemented timely at half of the hearing offices we visited. In addition, HQ was not collecting validation reports on a timely basis, which may have contributed to the lack of follow-through at the hearing offices.

Hearing Office Actions

Some of the hearing offices were not timely implementing the HQ OSCAR recommendations. We reviewed a sample of 6 OSCAR reports during April and May 2007 and found that more than 18 months after issuing these HQ OSCAR reports 3 hearing offices had not implemented 15 to 32 percent of their recommendations (see Table 4).
Unimplemented recommendations related to deficiencies in a number of areas, such as (1) semiannual testing of intrusion detection systems and panic alarm systems; (2) availability of fire extinguishers; and (3) properly completing, processing and certifying leave requests.

Table 4: OSCAR Recommendations Not Implemented

Hearing Office               HQ OSCAR      OIG Review   Total Number of    Recommendations   Percent Not
                             Report Date   Date         Recommendations    Not Implemented   Implemented
Albuquerque, New Mexico      4/7/2005      4/18/2007    34                 5                 15%
Colorado Springs, Colorado   9/30/2005     4/17/2007    37                 12                32%
Downey, California           6/3/2005      4/19/2007    17                 0                 0%
Fort Worth, Texas            9/30/2005     5/30/2007    38                 0                 0%
Manchester, New Hampshire    6/3/2005      5/31/2007    30                 0                 0%
Voorhees, New Jersey         5/5/2005      6/5/2007     25                 7                 28%
Total                                                   181                24

In Table 5, we divided these OSCAR reports’ recommendations into those requiring funding and those not requiring funding to implement. We did the same with the recommendations that were not implemented. As indicated in Table 5, all three offices with unimplemented recommendations had recommendations that did not require funding.
These hearing offices, at a minimum, should have implemented all the recommendations not requiring funding.

Table 5: Recommendations Requiring Funding/Not Requiring Funding

                             OSCAR Report Recommendations        Recommendations Not Implemented
Hearing Offices              Do Not Require   Require   Total    Do Not Require   Require   Total
                             Funding          Funding            Funding          Funding
Albuquerque, New Mexico      32               2         34       5                0         5
Colorado Springs, Colorado   24               13        37       4                8         12
Downey, California           5                12        17       0                0         0
Fort Worth, Texas            20               18        38       0                0         0
Manchester, New Hampshire    27               3         30       0                0         0
Voorhees, New Jersey         23               2         25       6                1         7
Total                        131              50        181      15               9         24

CORRECTIVE ACTION AND VALIDATION REPORTS

As stated earlier, the OSCAR guide requires the hearing office to forward to HQ, within 90 days of issuing the corrective action report, a validation report confirming that all corrective actions have been implemented. However, HQ does not hold each hearing office to this 90-day requirement and does not require the hearing offices to forward the validation reports.
Instead, HQ staff told us they follow up periodically with each RO about its hearing offices’ implementation of OSCAR recommendations.

Our earlier finding that three hearing offices had not implemented a number of recommendations indicates that the validation reports could have been useful to management. We believe that HQ should ensure components submit validation reports within the required 90 days unless the component has provided a valid reason that it is unable to do so. By the time the validation report is issued, the reviewed component should, at a minimum, ensure that all recommendations not requiring funding were implemented. Also, it may be helpful to both the hearing office and HQ if the report indicated which recommendations required funding, along with the dollar amount needed, since we believe that this would speed up the corrective action process.

ADDITIONAL STEPS

Our review found a few areas where the OSCAR guidance could be more comprehensive. We believe additional guidance related to remote hearing sites and sensitive personal data could improve oversight of the hearing offices.

Permanent Remote Hearing Sites

The current OSCAR guidance does not require a review of permanent remote hearing sites.[10] As of June 2007, ODAR had 143 permanent remote hearing sites throughout the Nation. These remote sites are used on a regular basis by ODAR personnel and the public and may contain some of the same problems detected at hearing offices. For example, prior SSA OIG audits have found physical security weaknesses at a number of remote site locations.[11] For this reason, we believe that permanent remote sites should undergo OSCARs and the OSCAR guide be revised accordingly.

Protection of Sensitive Data

Current hearing office OSCAR procedures did not include sufficient steps to ensure that personally identifiable information (PII) contained in SSA’s automated systems is protected. Such procedures needed to be updated to provide for adequate review of handling PII contained in SSA’s automated systems.

The OSCAR guide’s chapter 4, Security of Automated Systems, includes procedures for reviewing SSA’s automated systems and associated data at hearing offices. However, this guide was last updated in November 2004. The OSCAR guide should be updated to consider current work environments that allow some ODAR staff to work from home using an SSA-provided laptop. For example, the OSCAR guide does not include a review of procedures in place to ensure safeguarding laptop computers and/or the PII contained within the laptop computers taken outside hearing offices.[12] In addition, the OSCAR could include a review of the digital recording laptops used to record hearings.[13]

[10] ODAR has two types of remote sites—permanent and temporary. According to ODAR criteria, a permanent remote site is a space that has been assigned to or leased for ODAR by the General Services Administration in a city within the defined service area of a hearing office.
A temporary remote site is a location where hearings are held in space not under a General Services Administration lease or assignment to ODAR.

[11] These OIG audits are limited distribution.

[12] In June 2006, SSA released interim guidance on safeguarding this information as part of its Information Systems Security Handbook, which provides basic security guidance for SSA employees, contractors, and government or business partners who handle SSA information. The responsibility to protect PII applies at all times regardless of whether SSA employees, contractors or other Government personnel with this information are officially on duty or not on duty. SSA is working on an additional information technology document geared to the individual users and managers outlining all information technology security issues.

[13] In our August 2006 audit, Digital Recording Acquisition Project (A-12-06-26048), we noted that protection over the equipment and associated data could be enhanced. We made four recommendations to SSA to improve its use and security of this equipment.

CONCLUSION AND RECOMMENDATIONS

Our review of the OSCAR process found a number of areas in need of improvement. For instance, ODAR has not met the 10 percent requirement over the 5-year period, though the number of HQ OSCARs performed in FY 2007 represents an encouraging development if it can continue. Lack of national coverage, combined with weak compensating controls via the RO administrative reviews and self-OSCARs, only increases the risk that hearing office problems will remain undetected. For those OSCARs performed during our audit period, the reports could have been more timely, recommendations should have been implemented, and HQ needed to track recommendation compliance.
Finally, the OSCAR guide itself could be improved to reflect the way ODAR does its work, from remote hearing sites to work-at-home.

To improve the OSCAR process and increase its effectiveness, we recommend SSA:

1. Review funding priorities and ensure OSCARs are completed at all hearing offices within a 5-year period, in accordance with established policy.

2. Document Regional Office Management Reviews to the extent possible and maintain copies for the next HQ OSCAR.

3. Ensure hearing office management complete timely and accurate self-OSCARs, and provide training, as appropriate.

4. Ensure OSCAR reports are issued in a timely fashion, which includes working with appropriate SSA components to ensure any contractor(s) assisting with this process are also meeting contract specifications on report issuance.

5. Ensure hearing offices complete a validation report within 90 days of issuing the corrective action report, unless advance approval has been given for a delay.

6. Update the OSCAR guide as appropriate to reflect changes in ODAR’s working environment, to include the treatment of permanent remote sites and protection of sensitive data.

AGENCY COMMENTS

SSA agreed with our recommendations and has already initiated corrective action. The full text of the agency’s comments is included in Appendix E.

Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Sampling Methodology
APPENDIX D – Timeliness of Issuing OSCAR Reports
APPENDIX E – Agency Comments
APPENDIX F – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

FMFIA   Federal Managers' Financial Integrity Act
FY      Fiscal Year
HOD     Hearing Office Director
HQ      Headquarters
ODAR    Office of Disability Adjudication and Review
OIG     Office of the Inspector General
OSCAR   On-site Security Control and Audit Review
PII     Personally Identifiable Information
RO      Regional Office
SSA     Social Security Administration

Appendix B

Scope and Methodology

To accomplish our objectives, we:

• Reviewed Social Security Administration (SSA) policies and procedures, as well as prior Office of the Inspector General audits.
• Reviewed the criteria pertaining to the process of On-site Security Control and Audit Reviews (OSCAR) at hearing offices.
• Met with SSA staff to gain a better understanding of the OSCAR process, and to observe and note related best practices.
• Reviewed the OSCAR process at hearing offices, and its administration by regional offices (RO) and the Headquarters (HQ) of the Office of Disability Adjudication and Review (ODAR).
• Considered other reviews compensating to OSCARs, such as administrative reviews performed by ROs and self-OSCARs conducted by hearing offices.
• Collected and analyzed data on hearing offices’ OSCARs, ROs’ administrative reviews of hearing offices, and hearing offices’ self-OSCARs using questionnaires and matrices.
• Obtained management information on all HQ OSCARS performed at hearing offices during Fiscal Years (FY) 2002, 2003, 2004, 2005 and 2006. We also obtained information on the FY 2007 HQ OSCAR process.
• Collected and analyzed data related to the timeliness of issuing OSCAR reports related to OSCARs performed by ODAR’s HQ and those performed by a contractor.
• Selected 6 of the 33 HQ OSCARs for review and visited the hearing offices, as indicated in Appendix C, to determine whether the OSCAR follow-up process was correctly followed and that recommendations were implemented as required.

We found data used for this audit to be sufficiently reliable to meet our objectives. The entity audited was the Office of the Deputy Commissioner for Disability Adjudication and Review. We conducted our field work from December 2006 through June 2007, in Falls Church, Virginia; Boston, Massachusetts; Manchester, New Hampshire; New York, New York; Voorhees, New Jersey; Philadelphia, Pennsylvania; Dallas and Fort Worth, Texas; Albuquerque, New Mexico; Denver and Colorado Springs, Colorado; and Downey, California. We conducted this audit in accordance with generally accepted government auditing standards.

Appendix C

Sampling Methodology

The Office of Disability Adjudication and Review (ODAR) administers 140 hearing offices. During Fiscal Years 2002 through 2006, On-site Security Control and Audit Reviews (OSCAR) were performed on 70 of ODAR’s 140 hearing offices. Our population totaled 33 hearing offices where Headquarters’ (HQ) OSCARs were performed during our audit period.
Our audit period was the 12 months starting\nApril 1, 2005 and ending March 31, 2006.\n\nWe reviewed this 12-month population to select a judgmental sample of hearing offices\nin which we performed our field work. We determined our sample based on\ngeographical coverage, funding and proximity to our audit offices. We selected six\nhearing offices for review as indicated in Table C-1. We also performed a walk through\nof the process of OSCAR planning, follow-up and recommendation implementation at\nthe Philadelphia Regional Office and the Philadelphia East Hearing Office. In addition,\nwe obtained information from all 10 regional offices regarding HQ OSCARs and other\nreviews at hearing offices.\n\n                        Table C-1: Hearing Offices Reviewed\n ODAR Regions                          Hearing Office Location\n Region I          Manchester, New Hampshire\n Region II         Voorhees, New Jersey\n Region VI         Albuquerque, New Mexico\n                   Fort Worth, Texas\n Region VIII       Colorado Springs, Colorado\n Region IX         Downey, California\n\nWe included the results of the review of our sample, as appropriate, in the body of the\nreport.\n\x0c                                                                       Appendix D\n\nTimeliness of Issuing OSCAR Reports\nDuring our audit period (April 1, 2005 through March 31, 2006), 33 On-site Security\nControl and Audit Review (OSCAR) reports were issued; Headquarters (HQ) performed\n21, while a contractor performed 12. As indicated in Table D-1, of the 21 HQ OSCAR\nreports, only 1 was issued within 30 days of the review completion date. 
It took 35 to\n237 days to issue each of the remaining 20 reports, a median of 129 days and an\naverage of 127 days for each of the 21 reports.\n\n      Table D-1: OSCARs Performed by Headquarters During the Audit Period\n                                                                          Number of\n                                      OSCAR            OSCAR Report      Days to Issue\n      Hearing Offices              Completion Date      Issue Date          Report\n  1   Portland, Maine                  11/5/2004           6/30/2005          237\n  2   Manchester, New Hampshire       11/19/2004            6/3/2005          196\n  3   Fort Lauderdale, Florida         3/18/2005           9/19/2005          185\n  4   Mobile, Alabama                  12/3/2004            6/3/2005          182\n  5   Macon, Georgia                    4/1/2005           9/19/2005          171\n  6   Miami, Florida                  12/17/2004            6/6/2005          171\n  7   Fort Worth, Texas                4/15/2005           9/30/2005          168\n  8   Sacramento, California           2/18/2005           7/11/2005          143\n  9   Pasadena, California             1/14/2005            6/3/2005          140\n 10   Seattle, Washington               5/6/2005           9/19/2005          136\n 11   Evansville, Indiana              5/20/2005           9/26/2005          129\n 12   Downey, California                2/4/2005            6/3/2005          119\n 13   Knoxville, Tennessee              4/4/2005           7/21/2005          108\n 14   Oak Park, Michigan               6/10/2005           9/26/2005          108\n 15   Albany, New York                  4/8/2005           7/23/2005          106\n 16   Saint Louis, Missouri            4/12/2005           7/23/2005          102\n 17   Oklahoma City, Oklahoma          4/22/2005           7/25/2005           94\n 18   Colorado Springs, Colorado        7/1/2005           9/30/2005           91\n 19   Pittsburgh, 
Pennsylvania         6/17/2005           7/30/2005           43\n 20   Houston-Bissonnet, Texas         2/15/2006           3/22/2006           35\n 21   Louisville, Kentucky             7/22/2005            8/1/2005           10\n                                                     Total days              2,674\n                                                     Median days              129\n                                                     Average days             127\n\n\n\n\n                                           D-1\n\x0cAs indicated in Table D-2, none of the 12 OSCAR reports issued by the contractor met\nthe 30-day requirement. However, it took less time to issue these reports than those\nHQ issued. The contractor\xe2\x80\x99s reports were issued within 43 to 60 days of review\ncompletion date, a median of 51 days, and an average of 50 days.\n\n      Table D-2: OSCARs Performed by Contractor During the Audit Period\n                                                                        Number of\n                                 OSCAR Review        OSCAR Report      Days to Issue\n      Hearing Offices            Completion Date      Issue Date          Report\n  1   Hartford, Connecticut           4/6/2005            6/5/2005           60\n  2   Lexington, Kentucky            4/20/2005           6/13/2005           54\n  3   Voorhees, New Jersey           4/13/2005            6/5/2005           53\n  4   Kingsport, Tennessee           4/22/2005           6/13/2005           52\n  5   Albuquerque, New Mexico        2/16/2005            4/8/2005           51\n  6   Nashville, Tennessee           4/15/2005            6/5/2005           51\n  7   Eugene, Oregon                 3/16/2005            5/5/2005           50\n  8   Little Rock, Arkansas           3/2/2005           4/21/2005           50\n  9   Metairie, Louisiana             3/9/2005           4/28/2005           50\n 10   Flint, Michigan                 5/4/2005           6/17/2005         
  44\n 11   Paducah, Kentucky              5/11/2005           6/24/2005           44\n 12   Peoria, Illinois               3/23/2005            5/5/2005           43\n                                                   Total days               602\n                                                   Median days               51\n                                                   Average days              50\n\n\n\n\n                                         D-2\n\x0c                  Appendix E\n\nAgency Comments\n\x0c                                 SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:      September 24, 2007                                           Refer To:   S1J-3\n\nTo:        Patrick P. O\'Carroll, Jr.\n           Inspector General\n\nFrom:      David V. Foster /s/\n           Chief of Staff\n\nSubject:   Office of the Inspector General (OIG) Draft Report, "Onsite Security Control and Audit\n           Review at Hearing Offices\xe2\x80\x9d (A-12-07-17080)\xe2\x80\x94INFORMATION\n\n\nWe appreciate OIG\xe2\x80\x99s efforts in conducting this review. Our comments on the recommendations\nare attached.\n\nPlease let me know if we can be of further assistance. Staff inquiries may be directed to\nMs. Candace Skurnik, Director, Audit Management and Liaison Staff, at 410 965-4636.\n\nAttachment:\nSSA Response\n\n\n\n\n                                               E-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, "ONSITE SECURITY CONTROL AND AUDIT REVIEW AT HEARING\nOFFICES" (A-12-07-17080)\n\nThank you for the opportunity to review and provide comments on this draft report. We\nrecognize the importance of complying with the Onsite Security Control and Audit Review\n(OSCAR) program which was designed to satisfy the requirements stated in the Federal\nManagers\xe2\x80\x99 Financial Integrity Act. 
We appreciate that the report notes our efforts to address\ndeficiencies in the Office of Disability Adjudication and Review\xe2\x80\x99s (ODAR) Management Control\nReview (MCR) process from fiscal year (FY) 2002 \xe2\x80\x93 FY 2004. In addition, it cites our positive\nmovement forward as ODAR transitioned from conducting management reviews of hearing\noffices to the formal OSCAR process. Although the report covers the last 5 years\n(FY 2002 \xe2\x80\x93 FY 2006), it accurately notes that ODAR did not begin conducting OSCARs as its\nmain MCR activity until late FY 2004. During the period covered by the report, ODAR\nconducted an internal review known as the Hearing Office Management Process Review\n(HOMPR), also known as a \xe2\x80\x9cself-OSCAR.\xe2\x80\x9d The HOMPR results were not documented in\nwriting. Rather, they were conveyed verbally to hearing and regional office management teams,\nlimiting our ability to track and follow through on the findings. Within this context, we\nacknowledge the need to continue our efforts to maintain and improve ODAR\xe2\x80\x99s OSCAR process.\nOur responses to the specific recommendations are as follows.\n\nRecommendation 1\n\nReview funding priorities and ensure OSCARs are completed at all hearing offices within a\n5 year period, in accordance with established policy.\n\nComment\n\nWe agree. We will ensure that OSCARs are completed at all hearing offices within the 5 year\nperiod.\n\nRecommendation 2\n\nDocument Regional Office Management Reviews to the extent possible and maintain copies for\nthe next Headquarters\xe2\x80\x99 OSCAR.\n\nComment\n\nWe agree. 
We plan to issue an appropriate reminder to our regional management teams by\nJanuary 31, 2008 and will maintain copies of the next Headquarters\xe2\x80\x99 OSCAR.\n\nRecommendation 3\n\nEnsure hearing office management complete timely and accurate self-OSCARs, and provide\ntraining, as appropriate.\n\n\n                                             E-2\n\x0cComment\n\nWe agree. We plan to provide training by February 28, 2008, as appropriate, to ensure that\nhearing office management completes timely and accurate self-OSCARs.\n\nRecommendation 4\n\nEnsure OSCAR reports are issued in a timely fashion, which includes working with appropriate\nSSA components to ensure any contractor(s) assisting with this process are also meeting contract\nspecifications on report issuance.\n\nComment\n\nWe agree. We will ensure that ODAR OSCAR reports are issued in a timely fashion. We will\nwork with the appropriate component responsible for ensuring the performance of any contractor\napproved to assist with the OSCAR process.\n\nRecommendation 5\n\nEnsure hearing offices complete a validation report within 90 days of issuing the corrective\naction report, unless advance approval has been given for a delay.\n\nComment\n\nWe agree. By January 31, 2008, we will issue an appropriate reminder to our regional and HO\nmanagement teams to ensure the completion of a validation report within 90 days of the issuance\nof the corrective action report, unless advance approval has been given for a delay.\n\nRecommendation 6\n\nUpdate the OSCAR Guide as appropriate to reflect changes in ODAR\xe2\x80\x99s working environment, to\ninclude the treatment of permanent remote sites and protection of sensitive data.\n\nComment\n\nWe agree. We are reviewing and expect to revise our ODAR OSCAR protocol and guide by\nDecember 31, 2007. This review of our OSCAR process will reflect the reorganization of\nODAR Headquarters as a Deputy Commissioner-level component. 
In addition, we will address\nthe extent to which we can include our permanent remote sites in the OSCAR process, keeping in\nmind that any such review will be an abbreviated version. Our review will also reflect ODAR\xe2\x80\x99s\neffort to maintain and improve the Agency-wide effort to protect sensitive data.\n\n\n\n\n                                               E-3\n\x0c                                                                      Appendix F\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n   Walter Bayer, Director, Philadelphia Audit Division, (215) 597-4080\n   Michael Maloney, Audit Manager, Falls Church Audit Office (703) 578-8844\n\nAcknowledgments\n\nIn addition to those named above:\n   Ehab Bestawrose, Auditor-in-Charge\n   Yaquelin Lara, Auditor\n   Mary Dougherty, Senior Auditor\n   David Mazzola, Audit Manager\n   Toni Paquette, Program Analyst\n   Denise Molloy, Senior Analyst\n   Joshua Campos, Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 965-3218. 
Refer to Common Identification Number\nA-12-07-17080.\n\x0c                           DISTRIBUTION SCHEDULE\n\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Resource Management (ORM). 
To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                         Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure program\nobjectives are achieved effectively and efficiently. Financial audits assess whether SSA\xe2\x80\x99s\nfinancial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash flow.\nPerformance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs and\noperations. OA also conducts short-term management and program evaluations and projects on\nissues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                   Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. 
Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                              Office of Resource Management\nORM supports OIG by providing information resource management and systems security. ORM\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, ORM is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c'